Blog

GDPR: Big fine for British Airways

10/07/2019

The British data protection authority - the Information Commissioner’s Office (ICO) - has imposed a fine of approximately 205 million euros on British Airways, announced on 8th July 2019. This is the first GDPR-related penalty imposed by the UK authority, and it may also be the highest one in Europe so far.

But what exactly did British Airways do wrong? The ICO found that between August 2018 and September 2018, personal data of about 500,000 individuals had been stolen from British Airways servers due to a security lapse for which the airline was responsible.

Although the data was stolen, it is believed that it was probably not misused or made public.

Such an incident constitutes a breach under the GDPR. The GDPR requires data processors to put appropriate security measures in place to prevent such loss or unauthorised disclosure of personal data. In the present case, a lack of IT security led to the theft of the data, and this lack of adequate security measures can be classified as a breach of the relevant GDPR provisions. Where a large number of persons is affected, as here, a public communication of the data breach is sufficient to inform them.

In this context, it has to be mentioned that British Airways itself notified the ICO of the data breach and cooperated fully with the ICO. Considering these facts, it also seems probable that the airline notified the affected individuals in a proper way.

The penalty has been set at 1.5% of the company’s annual turnover for the year 2017. Willie Walsh, chief executive of the airline’s parent company International Airlines Group, has announced that the group plans to appeal the ICO’s decision, which has not yet come into force.